Hi Joe,

I had a similar discussion with Kings last year about EzVPN Server on the router. Take a look at the archived post, perhaps it will be useful:
http://www.onlinestudylist.com/archives/ccie_security/2011-September/028025.html

Regards,
Piotr

2012/3/7 Joe Astorino <[email protected]>

> I also tried changing the dhcp-network-scope 10.1.100.0 to a host
> address in the scope of 10.1.100.254 and adding a /32 host route on
> the ASA to this address pointing to the switch, but that still did not
> work.
>
> On Wed, Mar 7, 2012 at 3:04 PM, Joe Astorino <[email protected]>
> wrote:
> > Hello,
> >
> > I am trying to modify an ASA configuration such that remote SSL VPN
> > users receive an IP address from a DHCP server running on a 3550
> > switch inside instead of from a local pool on the ASA. I want to do
> > that because the 3550 switch itself is a DHCP client that pulls in DNS
> > server addresses from an ISP. I import those DNS settings into my
> > DHCP pools so that I can hand out that DNS information to clients. I
> > have modified my configuration as follows
> >
> > no ip local pool SSLClientPool 10.1.100.50-10.1.100.100 mask 255.255.255.0
> > no vpn-addr-assign aaa
> > no vpn-addr-assign local
> > vpn-addr-assign dhcp
> > !
> > tunnel-group SSLClient general-attributes
> >  dhcp-server 10.1.19.9
> > !
> > group-policy SSLClient attributes
> >  no address-pools value SSLClientPool
> >  dhcp-network-scope 10.1.100.0
> >
> >
> > On the switch I have the pool defined
> >
> > ip dhcp pool SSL-VPN
> >  import all
> >  network 10.1.100.0 255.255.255.0
> >
> > I see absolutely nothing happening. When the client connects and
> > authenticates I just get the following in the log
> >
> > %ASA-5-737018: IPAA: DHCP request attempt 1 failed
> > %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'SSLClient'
> >
> > The DHCP server is reachable from the ASA via ping. I have even done
> > a "debug ip packet" tied to an ACL on the L3 switch that looks at any
> > traffic coming from the inside interface of the ASA. It appears the
> > ASA never at any point sends the DHCP request at all.
> >
> > Any ideas?
> >
> > --
> > Regards,
> >
> > Joe Astorino
> > CCIE #24347
> > http://astorinonetworks.com
> >
> > "He not busy being born is busy dying" - Dylan
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
